CVE-2025-25291
Authentication Bypass vulnerability in ruby-saml (RubyGems)

Vulnerability type: Authentication Bypass. Known public exploit: none.

What is CVE-2025-25291 About?

This authentication bypass vulnerability in ruby-saml is caused by a parser differential: REXML and Nokogiri interpret the same XML document differently. The discrepancy enables Signature Wrapping attacks, which can let an attacker bypass the library's authentication checks.

Affected Software

  • ruby-saml
    • <1.12.4
    • >=1.13.0, <1.18.0

Technical Details

The vulnerability stems from a parser differential between REXML and Nokogiri XML parsers when processing SAML assertions in ruby-saml. These parsers can generate entirely different document structures from the same XML input. An attacker can craft a SAML response that appears valid to one parser (e.g., Nokogiri, used for signature validation) but is interpreted differently by another (e.g., REXML, used for content extraction). This allows for a 'Signature Wrapping' attack where a valid signature can be applied to an attacker-controlled assertion, effectively bypassing authentication.
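The defensive counterpart of the paragraph above is to refuse any SAML response on which the two parsers do not agree, and on which the signed element is not the single assertion whose contents will be trusted. The following Ruby is an added example written for this page; it is not ruby-saml's own code and not the upstream fix. It assumes an assertion-level signature (a ds:Signature inside the saml:Assertion whose ds:Reference URI points at that assertion's ID), uses REXML, which ships with Ruby, and cross-checks with Nokogiri only when that gem is installed. The function names (rexml_view, nokogiri_view, consistent_single_assertion?) and both sample responses are constructed for the example; the signature and digest values are placeholders, so this code deliberately does not verify cryptography, only document structure.

```ruby
# Added example (not ruby-saml's code): summarise a SAML Response through more
# than one XML parser and reject it when the parsers disagree, when it carries
# more than one Assertion, or when the Signature Reference does not point at the
# single Assertion whose contents are about to be trusted.
require 'rexml/document'
require 'rexml/xpath'

begin
  require 'nokogiri'
  HAVE_NOKOGIRI = true
rescue LoadError
  HAVE_NOKOGIRI = false # cross-check degrades to REXML only
end

SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'
DSIG_NS = 'http://www.w3.org/2000/09/xmldsig#'
XPATH_NS = { 'saml' => SAML_NS, 'ds' => DSIG_NS }.freeze

PARSE_ERRORS = [REXML::ParseException]
PARSE_ERRORS << Nokogiri::XML::SyntaxError if HAVE_NOKOGIRI

# Structure as seen by REXML: Assertion IDs and Signature Reference URIs.
def rexml_view(xml)
  doc = REXML::Document.new(xml)
  {
    assertion_ids:  REXML::XPath.match(doc, '//saml:Assertion', XPATH_NS).map { |e| e.attributes['ID'] },
    reference_uris: REXML::XPath.match(doc, '//ds:Signature/ds:SignedInfo/ds:Reference', XPATH_NS)
                                .map { |e| e.attributes['URI'] }
  }
end

# The same structure as seen by Nokogiri (libxml2), parsed strictly and offline.
def nokogiri_view(xml)
  doc = Nokogiri::XML(xml) { |cfg| cfg.strict.nonet }
  {
    assertion_ids:  doc.xpath('//saml:Assertion', XPATH_NS).map { |e| e['ID'] },
    reference_uris: doc.xpath('//ds:Signature/ds:SignedInfo/ds:Reference', XPATH_NS).map { |e| e['URI'] }
  }
end

def available_views
  views = [method(:rexml_view)]
  views << method(:nokogiri_view) if HAVE_NOKOGIRI
  views
end

# True only when every parser sees exactly one Assertion with a non-empty ID and
# exactly one Signature Reference whose URI is "#<that ID>"; any parse error or
# disagreement between parsers is treated as a rejection.
def consistent_single_assertion?(xml, views = available_views)
  summaries = views.map { |v| v.call(xml) }
  return false unless summaries.uniq.size == 1
  ids, uris = summaries.first.values_at(:assertion_ids, :reference_uris)
  return false unless ids.size == 1 && !ids.first.to_s.empty?
  uris == ["##{ids.first}"]
rescue *PARSE_ERRORS
  false
end

# Constructed sample: one assertion, signature reference pointing at it.
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: two assertions in one response, which the check rejects
# regardless of which one the signature references.
TWO_ASSERTIONS = GOOD_RESPONSE.sub(
  '</samlp:Response>',
  '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>other@example.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>'
)

if __FILE__ == $PROGRAM_NAME
  puts "single assertion, consistent: #{consistent_single_assertion?(GOOD_RESPONSE)}"
  puts "two assertions, rejected:     #{!consistent_single_assertion?(TWO_ASSERTIONS)}"
end
```

The check is a structural guard only: it would sit in front of, not replace, signature verification, and the authoritative fix for this CVE remains upgrading to a patched ruby-saml release. Its value is that a document which different parsers summarise differently, or which carries a second assertion alongside the signed one, is rejected before any content is read from it.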

What is the Impact of CVE-2025-25291?

Successful exploitation may allow attackers to gain unauthorized access to applications or services that rely on SAML authentication, impersonate legitimate users, or bypass access controls.

What is the Exploitability of CVE-2025-25291?

Exploitation of this vulnerability is of medium complexity, as it requires crafting specific XML input that triggers the parser differential. No authentication is required to send a SAML response to the endpoint; bypassing the authentication process is itself the goal of the attack. No privileges are needed beyond the ability to submit SAML messages, and the attack is remote, since the crafted SAML assertion is delivered over the network. Applications that use ruby-saml, which relies on differing XML parsers for signature validation and for content consumption, are therefore at significant risk of successful exploitation.

What are the Known Public Exploits?

Known public exploits (PoC / Author / Link / Commentary): none listed.

What are the Available Fixes for CVE-2025-25291?

Available Upgrade Options

  • ruby-saml
    • <1.12.4 → Upgrade to 1.12.4
  • ruby-saml
    • >=1.13.0, <1.18.0 → Upgrade to 1.18.0


Additional Resources

What are Similar Vulnerabilities to CVE-2025-25291?

Similar Vulnerabilities: CVE-2020-25298, CVE-2018-0796, CVE-2017-1000490, CVE-2017-11427